Question [Certificate Store] Let's Encrypt certificate untrusted - Xiaomi Poco F3 / Xiaomi Mi 11X / Redmi K40

I noticed that some of my domains secured using a Let's Encrypt wildcard domain are suddenly not trusted by my new phone. This is the first time I have this problem, and I can't reproduce anywhere else. I checked the certificate chain to make sure that's correct (it uses the ISRG Root X1), but that isn't the problem.
I checked some other sites using LE, but they work fine. The only difference is that I'm using a wildcard certificate that only covers subdomains, not the main domain. Is there any setting in Android regarding this?
I might add that it's a custom ROM based on Android 11.

Which custom ROM?

Never mind, it was my fault. I installed a module which redirected all DNS requests to CloudFlare, skipping my own DNS entirely.

Related

802.1x Settings: Smart Card or Certificate?

I just installed the latest WM6.1 rom by Kavana. I'm trying to connect to my private/work network, and I need to use EAP type "Smart Card or Certificate", but only PEAP and TLS are listed. Are there any solutions to this issue? I searched on this forum, but could only find the same question asked (but not answered) here:
http://forum.xda-developers.com/showthread.php?p=2028467&highlight=Smartcard#post2028467
Thanks!
Sorry for the lack of details but I had a similar problem. There are several google references to various ways to get certificates working. You can also disable certificate checking which is what I elected to do for now.
To force WM5 or WM6 to accept the PEAP server's certificate without attempting any other validation, add the following registry key:
[\HKLM\Comm\EAP\Extension\25\]
"ValidateServerCert"=dword:00000000
This worked for me. More good hacks and the full article/blog http://www.mobilewave.ro/forum/topic-2549.html
Can you link to those several references on google? Why is the smartcard or certificate option missing from this rom anyway? Are there any registry hacks to get this option back?
Hey man, do your homework and google, and you can always change the registry entry if you think that the network you are connecting to is not trustworthy. Otherwise I think you will spend many hours of trial and error like I did.
I tried
"ValidateServerCert"=dword:00000000
I am still not able to connect to the network. Also, as said above, TLS is not showing the certificates & smartcard. Also when I click on TLS "properties" nothing shows up. I have certificates installed; I can see them from Settings->Security->Certificates.
Any help. It is getting very frustrating.
Bump. Please chime in.

Can't change screen lock (set by an application)

UPDATE: Solution found
I was able to get the administrator of the "Good" application at my company to push out a policy for android users to force a longer password. This forced a new password when I opened the application and corrected the problem.
Maybe this will help someone in the future.
I installed an app (Good for Enterprise) to be able to access work email/etc. During setup it required me to set a device password. I set it, through the Good application, but only set it to a 2 character password. I have since uninstalled the application and now I can not change my password. When I attempt to change it I am alerted that password must be 4 characters. Thankfully the device still locks and unlocks with the 2 character password but I was hoping to change it.
Can I mod a file directly to change the password or fool it into thinking it is not set?
Any help would be appreciated.
dave.
running 6.3 rooted fire

The problem about VPN(IKEv2) with Win10 Mobile

L2TP works as well.
IKEv2 does not route, and cannot get a valid IP address.
Can anyone solve this problem?
0oVicero0 said:
L2TP works as well.
IKEv2 does not route, and cannot get a valid IP address.
Can anyone solve this problem?
Are you on a Redstone build?
Seems VPN is broken on Redstone, not only IKEv2.
It's working fine for me. IKEv2 IPsec, Strongswan server.
Requires editing the connections file on the phone, though. Windows 10 mobile (same for PC) will not use the default route provided by the VPN server and there is no toggle to send all the traffic through the VPN like there was on Windows Phone 8/8.1 in the VPN connection settings GUI.
So, 'IpPrioritizeRemote=1' has to be set manually for the connection in rasphone.pbk on the phone. This can be achieved and requires an NTFS formatted SD card with the modified rasphone.pbk and a symbolic link to 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections' (you can make this symbolic link on the PC).
First you have to create a VPN connection on the phone, then delete it. This will make 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections\Pbk\' user writable and you can put a modified rasphone.pbk file in that location by accessing it through the symbolic link on the SD card.
If you don't know how to make the rasphone.pbk file, first configure the connection as it should be on the phone, then copy rasphone.pbk from the phone, edit it on PC and add 'IpPrioritizeRemote=1'. Delete the VPN connection from the phone, and put the modified rasphone file in its place.
Reboot might be required after copying the file manually.
^ This is for phones that can't be interop unlocked like my Lumia 950XL. It's much easier for other phones which can be unlocked and full FS access is achievable.
Pretty stupid omission on Microsoft's part. I've been shouting about it on windows feedback since Windows 10 Mobile was released to insiders, but no one listens.
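Added example (not code from the thread): a small Python editor, run on the PC, that sets IpPrioritizeRemote=1 for one named connection in a copied rasphone.pbk while leaving every other line untouched. The phonebook snippet is constructed and abbreviated; a real file carries many more keys, and you should read and write it with its existing encoding.

```python
"""Set one key in one [connection] section of a rasphone.pbk phonebook.

rasphone.pbk is INI-like: each VPN connection is a [Name] header followed
by Key=Value lines. The editor below only rewrites (or appends) the target
key inside the target section and copies every other line byte-for-byte,
so the rest of the phonebook is not disturbed. Function names are mine.
"""
import re

SECTION_RE = re.compile(r"^\[(.*)\]\s*$")

# Constructed, heavily abbreviated phonebook with two connections.
SAMPLE_PBK = """\
[Work VPN]
Encoding=1
PBVersion=6
Type=2
AutoLogon=0
UseRasCredentials=1
IpPrioritizeRemote=0
IpHeaderCompress=0
Device=WAN Miniport (IKEv2)
[Home VPN]
Encoding=1
IpPrioritizeRemote=0
"""


def get_pbk_key(pbk_text: str, connection: str, key: str):
    """Return the value of key in the [connection] section, or None."""
    in_target = False
    for line in pbk_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_target = m.group(1) == connection
            continue
        if in_target:
            k, sep, v = line.partition("=")
            if sep and k.strip().lower() == key.lower():
                return v.strip()
    return None


def set_pbk_key(pbk_text: str, connection: str, key: str, value: str) -> str:
    """Return pbk_text with key=value set in the [connection] section.

    An existing key line is rewritten in place (first occurrence); a missing
    key is appended at the end of that section. Every other line is copied
    unchanged. Raises KeyError if the connection section does not exist.
    """
    out = []
    in_target = False
    found_section = False
    written = False
    for line in pbk_text.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m:
            # Leaving the target section without having seen the key:
            # append it just before the next section header.
            if in_target and not written:
                out.append(f"{key}={value}\n")
                written = True
            in_target = m.group(1) == connection
            found_section = found_section or in_target
            out.append(line)
            continue
        if in_target and not written:
            k, sep, _ = line.partition("=")
            if sep and k.strip().lower() == key.lower():
                out.append(f"{key}={value}\n")
                written = True
                continue
        out.append(line)
    if not found_section:
        raise KeyError(f"no [{connection}] section in phonebook")
    if not written:
        # Target was the last section and the key was absent.
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"
        out.append(f"{key}={value}\n")
    return "".join(out)


if __name__ == "__main__":
    # Usage on a copy of the phone's file: read, patch, write back.
    print(set_pbk_key(SAMPLE_PBK, "Work VPN", "IpPrioritizeRemote", "1"))
```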
VPN is broken in Windows 10. Period! Microsoft is not going to fix it.
w.bogdan said:
VPN is broken in Windows 10. Period! Microsoft is not going to fix it.
No period. It's broken, but it can be made to work. Who put you in charge of dropping the period?
DLS123 said:
No period. It's broken, but it can be made to work. Who put you in charge of dropping the period?
Search for "Windows 10 DNS resolution" or other VPN related issues in Windows 10. It's not a bug, it's a feature ... for NSA, the government of China and so on.
w.bogdan said:
Search for "Windows 10 DNS resolution" or other VPN related issues in Windows 10. It's not a bug, it's a feature ... for NSA, the government of China and so on.
I know about it and took measures against it. They call it Smart multi-homed name resolution. It can be disabled on Desktop and also the order of DNS servers used can be set for each VPN connection. This isn't really caused by the broken built-in VPN client, but the way Windows 10 itself works out of the box.
DLS123 said:
I know about it and took measures against it. They call it Smart multi-homed name resolution. It can be disabled on Desktop and also the order of DNS servers used can be set for each VPN connection. This isn't really caused by the broken built-in VPN client, but the way Windows 10 itself works out of the box.
It's not just desktop. On W10M, DNS leaks, the VPN connected icon is barely visible and you don't get notified if the VPN connection drops. It is hard to believe Satya Nadella is so dumb not to notice.
w.bogdan said:
It's not just desktop. On W10M, DNS leaks, the VPN connected icon is barely visible and you don't get notified if the VPN connection drops. It is hard to believe Satya Nadella is so dumb not to notice.
I know there are DNS leaks on W10Mobile and multi-homing can't be disabled, but I don't have a problem with that. The purpose of VPN for me is to gain access to other private networks and encrypt the communication with them. DNS leaks aren't that critical. It's not like I don't want my employer to know what websites I access while connecting to VPNs from their network. I couldn't care less, to be honest, that they're logging my DNS queries. And I also don't live in China.
Even if they have my DNS records they still won't ever be able to break the encrypted IPsec tunnels and get any glimpse of what's passing through them.
Wasn't able to download rasphone.pbk from the phone but could upload one.
I used my Windows 10 PC and created the connections there. Then I disabled IpPrioritizeRemote and used the powershell cmdlet Add-VpnConnectionRoute to add a route to the pbk file pointing to my local subnet.
I am now able to connect to the internet and access corporate resources at the same time.
I however couldn't connect from one particular app which worked in 8.1. There may be issues with non universal apps.
DLS123 said:
It's working fine for me. IKEv2 IPsec, Strongswan server.
Requires editing the connections file on the phone, though. Windows 10 mobile (same for PC) will not use the default route provided by the VPN server and there is no toggle to send all the traffic through the VPN like there was on Windows Phone 8/8.1 in the VPN connection settings GUI.
So, 'IpPrioritizeRemote=1' has to be set manually for the connection in rasphone.pbk on the phone. This can be achieved and requires an NTFS formatted SD card with the modified rasphone.pbk and a symbolic link to 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections' (you can make this symbolic link on the PC).
First you have to create a VPN connection on the phone, then delete it. This will make 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections\Pbk\' user writable and you can put a modified rasphone.pbk file in that location by accessing it through the symbolic link on the SD card.
If you don't know how to make the rasphone.pbk file, first configure the connection as it should be on the phone, then copy rasphone.pbk from the phone, edit it on PC and add 'IpPrioritizeRemote=1'. Delete the VPN connection from the phone, and put the modified rasphone file in its place.
Reboot might be required after copying the file manually.
^ This is for phones that can't be interop unlocked like my Lumia 950XL. It's much easier for other phones which can be unlocked and full FS access is achievable.
Pretty stupid omission on Microsoft's part. I've been shouting about it on windows feedback since Windows 10 Mobile was released to insiders, but no one listens.
Thanks!!! It's working fine!
I think Microsoft does not want to fix it.
0oVicero0 said:
I think Microsoft does not want to fix it.
Yeah, looks like that's the case. There is very little feedback in insider hub about VPN problems. Very few care about these issues, so probably MS has no incentive to fix it and prefers to rely on MDM for VPN configuration on these devices. Now if only that were an option for mere mortals...
How to import self-signed key or export builtin cert for a strongswan server?
DLS123 said:
It's working fine for me. IKEv2 IPsec, Strongswan server.
How did you get the VPN connection set up properly (aside from the IpPrioritizeRemote setting)?
I've set up a strongswan server and generated my own self-signed keys using ipsec pki, but when I import the key to my Lumia 1520 (by tapping it using the Files app and tapping import at the prompt), the VPN connection will not send that cert. Instead it sends a certificate issued by "CN=Microsoft Genuine Windows Phone CA15" with an OU that looks like a GUID.
So I tried punting and just exporting that certificate to place on my strongswan server ... but I can't figure out how to get the certificate off the phone either. So how do I do either one?
rlively said:
How did you get the VPN connection set up properly (aside from the IpPrioritizeRemote setting)?
I've set up a strongswan server and generated my own self-signed keys using ipsec pki, but when I import the key to my Lumia 1520 (by tapping it using the Files app and tapping import at the prompt), the VPN connection will not send that cert. Instead it sends a certificate issued by "CN=Microsoft Genuine Windows Phone CA15" with an OU that looks like a GUID.
So I tried punting and just exporting that certificate to place on my strongswan server ... but I can't figure out how to get the certificate off the phone either. So how do I do either one?
I don't know what self generated certificate your phone sends, but you shouldn't use that.
You should generate a client certificate on the strongswan server then you should include both the root CA and the client certificate and pack them together in a PKCS 12 file (.p12) which you open on the phone and import. The phone will choose the proper certificate stores to import to. Did you do that?
https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/
Just follow this tutorial, the only addition being that you should add "--flag clientAuth" to the command line for generating the client certificate.
DLS123 said:
I don't know what self generated certificate your phone sends, but you shouldn't use that.
You should generate a client certificate on the strongswan server then you should include both the root CA and the client certificate and pack them together in a PKCS 12 file (.p12) which you open on the phone and import. The phone will choose the proper certificate stores to import to. Did you do that?
Just follow this tutorial, the only addition being that you should add "--flag clientAuth" to the command line for generating the client certificate.
Thanks, that is a good tutorial - I definitely did not use the clientAuth flag (the ipsec tutorial for openWRT didn't include it: openwrt doc/howto/vpn.ipsec.roadwarrior), so I tried generating new certs with clientAuth. Unfortunately I got the same results. My Win10 phone sent the same "Microsoft Genuine Windows Phone CA15" cert.
Did you import the PKCS 12 file just by tapping it in the Microsoft "Files" app on the phone or did you use another method? I'm verifying the certs with the Microsoft "Certificates" app, which does show that the original cert I generated has no "Enhanced usages" but the second has "Client Authentication." Still the builtin VPN client won't pick it to send to my strongSwan server.
I did away completely with my configuration and started over with the win7 configuration here: strongswan wiki: Win7CertReq but none of it will help if I can't get my phone to actually send the correct certificate ... this configuration did something a little different though:
My phone sent the correct certificate in the "received TLS peer certificate" line followed by these error messages:
no trusted certificate found for 'my-CN-here' to verify TLS peer
sending fatal TLS alert 'certificate unknown'
Despite the fact that I have the certificate pem in /etc/ipsec.d/certs ...
In any case it continues on and sends the Microsoft cert afterwards, and then the server throws "no peer config found" (since I don't have the public cert loaded for that MS cert).
Followed up on the error here: strongswan wiki /issues/785
I also tried it with "eap_identity=%identity" instead of "eap_identity=%any".
Frustrating that it works great for Win7 but I just can't get a Win10 phone working. Any guides out there specifically for Windows phone + Strongswan?
rlively said:
Thanks, that is a good tutorial - I definitely did not use the clientAuth flag (the ipsec tutorial for openWRT didn't include it: openwrt doc/howto/vpn.ipsec.roadwarrior), so I tried generating new certs with clientAuth. Unfortunately I got the same results. My Win10 phone sent the same "Microsoft Genuine Windows Phone CA15" cert.
Did you import the PKCS 12 file just by tapping it in the Microsoft "Files" app on the phone or did you use another method? I'm verifying the certs with the Microsoft "Certificates" app, which does show that the original cert I generated has no "Enhanced usages" but the second has "Client Authentication." Still the builtin VPN client won't pick it to send to my strongSwan server.
I did away completely with my configuration and started over with the win7 configuration here: strongswan wiki: Win7CertReq but none of it will help if I can't get my phone to actually send the correct certificate ... this configuration did something a little different though:
My phone sent the correct certificate in the "received TLS peer certificate" line followed by these error messages:
no trusted certificate found for 'my-CN-here' to verify TLS peer
sending fatal TLS alert 'certificate unknown'
Despite the fact that I have the certificate pem in /etc/ipsec.d/certs ...
In any case it continues on and sends the Microsoft cert afterwards, and then the server throws "no peer config found" (since I don't have the public cert loaded for that MS cert).
Followed up on the error here: strongswan wiki /issues/785
I also tried it with "eap_identity=%identity" instead of "eap_identity=%any".
Frustrating that it works great for Win7 but I just can't get a Win10 phone working. Any guides out there specifically for Windows phone + Strongswan?
I import the certificates from file explorer on phone or from the OneDrive app, doesn't matter.
Have you actually set the EAP identity correctly in the client certificate? CN has to be exactly the same as --san
That's the eap_identity which has to be known if you use EAP-TLS.
I don't know what else to say, maybe post your ipsec.conf with censored IPs
DLS123 said:
I import the certificates from file explorer on phone or from the OneDrive app, doesn't matter.
Have you actually set the EAP identity correctly in the client certificate? CN has to be exactly the same as --san
That's the eap_identity which has to be known if you use EAP-TLS.
I don't know what else to say, maybe post your ipsec.conf with censored IPs
For the moment I just have mschap authentication with no certificate and it works. The certificate is just giving me fits.
On my client certificate my CN is not the same as the san. My san is set to the FQDN of my VPN server ... the CN of my client certificate is an identifier for my client.
What does the VPN server use for eap_identity - the CN from the client certificate when set to eap_identity=%identity ?
---------- Post added at 10:01 PM ---------- Previous post was at 09:35 PM ----------
rlively said:
For the moment I just have mschap authentication with no certificate and it works. The certificate is just giving me fits.
On my client certificate my CN is not the same as the san. My san is set to the FQDN of my VPN server ... the CN of my client certificate is an identifier for my client.
What does the VPN server use for eap_identity - the CN from the client certificate when set to eap_identity=%identity ?
My server certificate does have a CN and san that match. I thought I read somewhere that having that same value in the client san would help the client match up the cert to send to the server, at least for Windows Phone. Of course I can't find that guide now, so maybe I misread. I do see that in the example on https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/ that the server CN and san match and the client CN and san match each other.
In the client certificate you should have [email protected]_FQDN --san server_FQDN --flag clientAuth
the eap_identity used by strongswan is the part before @ from CN.
It won't match anything when using eap_idenity=%identity if you don't do it like this.
Are there any relevant registry files we can access with interop tools?
DLS123 said:
It's working fine for me. IKEv2 IPsec, Strongswan server.
Requires editing the connections file on the phone, though. Windows 10 mobile (same for PC) will not use the default route provided by the VPN server and there is no toggle to send all the traffic through the VPN like there was on Windows Phone 8/8.1 in the VPN connection settings GUI.
So, 'IpPrioritizeRemote=1' has to be set manually for the connection in rasphone.pbk on the phone. This can be achieved and requires an NTFS formatted SD card with the modified rasphone.pbk and a symbolic link to 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections' (you can make this symbolic link on the PC).
First you have to create a VPN connection on the phone, then delete it. This will make 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections\Pbk\' user writable and you can put a modified rasphone.pbk file in that location by accessing it through the symbolic link on the SD card.
If you don't know how to make the rasphone.pbk file, first configure the connection as it should be on the phone, then copy rasphone.pbk from the phone, edit it on PC and add 'IpPrioritizeRemote=1'. Delete the VPN connection from the phone, and put the modified rasphone file in its place.
Reboot might be required after copying the file manually.
^ This is for phones that can't be interop unlocked like my Lumia 950XL. It's much easier for other phones which can be unlocked and full FS access is achievable.
Pretty stupid omission on Microsoft's part. I've been shouting about it on windows feedback since Windows 10 Mobile was released to insiders, but no one listens.
Hi, I tried your manual, unfortunately without any success.
If I Read it correctly you do the following steps:
1) Format sd card on NTFS
2) On the sd card create symbolic link to: C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections
3) Insert sd in phone
4) Create a vpn connection on the phone
5) Delete all the VPN connections on the phone
6) Use the phone to put a new (modified) rasphone.pbk file on the SD card (through OneDrive??). I can't access my SD card on my PC when USB is connected
7) Reboot the phone
8) Make a new VPN connection (can it have a different name?)
Can someone verify if I missed something?
I'll be very happy if this works

Question regarding CA certificate installation by MobileIron MDM Software on MIUI 10

x-post from miui forum
Hi,
I'm having some issues installing MobileIron MDM on my Mi 6, I'm running MIUI 10 Global 8.9.13 Beta. The installer works and the device is passing all required checks (i.e. device is encrypted, not rooted etc.) and the configuration is starting. But there's one point during the configuration which requires the installation of a certificate. At that point the installer is asking the user to enter a password by pressing and holding the password field for the context menu to paste the password which should be on the Android clipboard (see screenshot) which doesn't work, there is no password on the clipboard. I can use the 'Paste' function but nothing is entered into the password field.
I've done this on other phones and other Android versions before and it has always worked without any issues.
Has anybody of you encountered such a problem before? Copy/Paste generally works in other applications but during the installation the clipboard remains empty (I also tried to paste into a text field in a different application, didn't work).
Has something around the handling of certificate installations and/or access to the clipboard changed in MIUI 10?
Many thanks in advance!
BR,
Thorsten
I was able to fix it today. I've been trouble-shooting this with a Xiaomi Mi 5 and Xiaomi Mi 6 phone on different versions (MIUI 9 and MIUI 10, both global stable and global developer) but I now believe the version doesn't really matter, the "fix" should be applicable to all versions with this issue.
Here's a brief description of what happened -- this might make a bit of a confusing read, but bear with me: During the installation the user gets that notification about “Press paste on the next screen to insert password for the certificate….” but the next screen is not the certificate import (it is most likely a system dialog asking for the regular device PIN but I couldn’t fully test that step).
So there's that dialog where I thought I should paste the certificate password -- the step that repeatedly hadn’t worked. Today I finally used the “forgot password” function. I had tried that before but always cancelled it because the “forgot password” function was just asking for another password – which didn’t make sense to me at that time.
Today I noticed how the “forgot password” function brings up a dialog which contains my MI account number. That made me realize that the FIRST dialog might have actually asked for my device PIN (despite asking for a password) with the second dialog (after the “forgot password”) providing the option to remove the device PIN (or password) by entering the MI account password.
Long story short: I entered my MI account password, which kind of “unlocked” the whole (and terrible) “import certificate, don’t change certificate name, paste password” ordeal. Mobile@Work is working flawlessly now. It seems there’s some form of MIUI function around the MI account “protecting” the certificate store; that's why that MIUI dialog interfered with the Mobile@Work installation in an unfortunate and unexpected way.
Good luck to all who run into the same issue.

How to get rid of "Device is not Certified"?

Hello guys! I wanted to ask whether there is any solution for getting rid of this "Device is not Certified", with or without root? I have flashed phhusson's GSI and then GApps Micro, but the first error I get is that on the setup screen it sticks on "Checking for update" no matter how much time I give it (problem 1). The second problem is that I have sent the Android device ID (or whatever) used to certify the device, but to no avail. It's still saying not certified. I can spoof it by Magisk so that it says certified, using a module, umm... I forgot its name (but it's not PlayStore Visa for sure), but still I can't use Google Play services on my device. Whenever I use an app that requires them, it gives an error that "Google Play Services is having trouble .....". What can I do to resolve this issue and use Google Play Services?
SafetyNet vs. Full Block
This seems to be a chronic problem for GSIs, but there are really two distinct levels of hell here:
Google Play Store -> Settings -> Play Protect certification reads "Device is not certified" and apps requiring SafetyNet won't work
Google Play Services completely blocks your device, and a barrage of noisy alerts are generated as soon as you attempt to log in
Many users won't even notice the first limitation, but the second blocks the setup wizard and makes the device effectively unusable until you register the GSF in on Google's registration page. But can anyone tell me why some custom ROMs trigger the second behavior and others don't?
As a custom ROM developer, some of my builds (usually the ones based on GSIs with an OEM vendor partition) have required device registration to be usable, and I'd really like to avoid that. I've tried spoofing known-good build fingerprints like some Magisk modules, but that hasn't worked so far. Has anyone found a decent workaround?
Or even better, can custom ROM developers just register our build fingerprints with Google? (I realize that this still won't satisfy SafetyNet, but it would allow custom ROM developers to go legit.)
It will never show up as certified if the build is not signed (or signed with public keys), and selinux is disabled. If that's not the case, you can try setting BUILD_SIGNATURE prop from latest OEM stable build and match your device.
baunilla said:
It will never show up as certified if the build is not signed (or signed with public keys), and selinux is disabled.
I'm not really interested in getting a "Device is certified" message (a.k.a. SafetyNet certification) with custom ROM development, since having the bootloader unlocked is going to cause it to fail anyway.
One thing I've noticed that seems to cause Google Play Services to block any login is when the GSI is signed with test keys and the OEM vendor partition is signed with release keys. Considering that we probably don't have the OEM's private release keys, is there any way to re-sign the vendor partition with test keys?
And interestingly enough, apps like Netflix are actually more likely to work if selinux is set to permissive. I've used that workaround on my custom ROMs before.
This is a very important topic; it is strange that it attracts so little attention.
One thing that I have discovered is that running "adb shell su 0 /system/bin/phh-securize.sh" to disable root on GSI AOSP builds by @phhusson will copy the required properties to look like stock ROM. This makes Play Protect play nice and you no longer have to register your GSF ID to stop the constant barrage of alerts.
I haven't had the time to figure out how he does it, but his source is shared on GitHub.
